Documentation ¶
Overview ¶
Package v1 contains API Schema definitions for the policies v1 API group +kubebuilder:object:generate=true +groupName=policies.kubewarden.io
Constants ¶
const (
	// AnnotationSeverity is the metadata annotation key carrying a policy's
	// severity. It is also surfaced as the "Severity" printer column of
	// AdmissionPolicy / ClusterAdmissionPolicy (priority 1).
	AnnotationSeverity string = "io.kubewarden.policy.severity"
	// AnnotationCategory is the metadata annotation key carrying a policy's
	// category. It is also surfaced as the "Category" printer column.
	AnnotationCategory string = "io.kubewarden.policy.category"
	// AnnotationTitle is the metadata annotation key carrying a policy's
	// human-readable title. Note that, unlike the other keys, it lives in the
	// artifacthub.io namespace.
	AnnotationTitle string = "io.artifacthub.displayName"
	// AnnotationDescription is the metadata annotation key carrying a policy's
	// free-form description.
	AnnotationDescription string = "io.kubewarden.policy.description"
)
// NOTE(review): these are ordinary annotations set by whoever creates the
// policy object; nothing in this package visibly validates their values, so
// treat them as informational rather than as a trusted classification.
Variables ¶
var (
	// GroupVersion is the group/version under which the types of this package
	// are registered: policies.kubewarden.io/v1.
	GroupVersion = schema.GroupVersion{Group: "policies.kubewarden.io", Version: "v1"}
	// SchemeBuilder is used to add the Go types of this package to a
	// GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
This section is empty.
Types ¶
type AdmissionPolicy ¶
// AdmissionPolicy is a namespace-scoped Kubewarden policy: it can only match
// namespaced resources in its own namespace (see GetRules and
// GetUpdatedNamespaceSelector). Its kubebuilder markers are documented below.
type AdmissionPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state; it embeds the common PolicySpec.
	Spec AdmissionPolicySpec `json:"spec,omitempty"`
	// Status is the observed state, served through the status subresource.
	Status PolicyStatus `json:"status,omitempty"`
}
AdmissionPolicy is the Schema for the admissionpolicies API +kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:resource:scope=Namespaced +kubebuilder:storageversion +kubebuilder:printcolumn:name="Policy Server",type=string,JSONPath=`.spec.policyServer`,description="Bound to Policy Server" +kubebuilder:printcolumn:name="Mutating",type=boolean,JSONPath=`.spec.mutating`,description="Whether the policy is mutating" +kubebuilder:printcolumn:name="BackgroundAudit",type=boolean,JSONPath=`.spec.backgroundAudit`,description="Whether the policy is used in audit checks" +kubebuilder:printcolumn:name="Mode",type=string,JSONPath=`.spec.mode`,description="Policy deployment mode" +kubebuilder:printcolumn:name="Observed mode",type=string,JSONPath=`.status.mode`,description="Policy deployment mode observed on the assigned Policy Server" +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.policyStatus`,description="Status of the policy" +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:printcolumn:name="Severity",type=string,JSONPath=".metadata.annotations['io\\.kubewarden\\.policy\\.severity']",priority=1 +kubebuilder:printcolumn:name="Category",type=string,JSONPath=".metadata.annotations['io\\.kubewarden\\.policy\\.category']",priority=1
func (*AdmissionPolicy) CopyInto ¶
func (r *AdmissionPolicy) CopyInto(policy *Policy)
func (*AdmissionPolicy) DeepCopy ¶
func (in *AdmissionPolicy) DeepCopy() *AdmissionPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicy.
func (*AdmissionPolicy) DeepCopyInto ¶
func (in *AdmissionPolicy) DeepCopyInto(out *AdmissionPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AdmissionPolicy) DeepCopyObject ¶
func (in *AdmissionPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*AdmissionPolicy) Default ¶
func (r *AdmissionPolicy) Default()
Default implements webhook.Defaulter so a webhook will be registered for the type
func (*AdmissionPolicy) GetBackgroundAudit ¶
func (r *AdmissionPolicy) GetBackgroundAudit() bool
func (*AdmissionPolicy) GetCategory ¶
func (r *AdmissionPolicy) GetCategory() (string, bool)
func (*AdmissionPolicy) GetContextAwareResources ¶
func (r *AdmissionPolicy) GetContextAwareResources() []ContextAwareResource
func (*AdmissionPolicy) GetDescription ¶
func (r *AdmissionPolicy) GetDescription() (string, bool)
func (*AdmissionPolicy) GetFailurePolicy ¶
func (r *AdmissionPolicy) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
func (*AdmissionPolicy) GetMatchPolicy ¶
func (r *AdmissionPolicy) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
func (*AdmissionPolicy) GetModule ¶
func (r *AdmissionPolicy) GetModule() string
func (*AdmissionPolicy) GetObjectMeta ¶
func (r *AdmissionPolicy) GetObjectMeta() *metav1.ObjectMeta
func (*AdmissionPolicy) GetObjectSelector ¶
func (r *AdmissionPolicy) GetObjectSelector() *metav1.LabelSelector
func (*AdmissionPolicy) GetPolicyMode ¶
func (r *AdmissionPolicy) GetPolicyMode() PolicyMode
func (*AdmissionPolicy) GetPolicyServer ¶
func (r *AdmissionPolicy) GetPolicyServer() string
func (*AdmissionPolicy) GetRules ¶
func (r *AdmissionPolicy) GetRules() []admissionregistrationv1.RuleWithOperations
GetRules returns all rules. Their scope is Namespaced, since an AdmissionPolicy only watches namespaced resources; it cannot match cluster-scoped objects (use a ClusterAdmissionPolicy for those).
func (*AdmissionPolicy) GetSettings ¶
func (r *AdmissionPolicy) GetSettings() runtime.RawExtension
func (*AdmissionPolicy) GetSeverity ¶
func (r *AdmissionPolicy) GetSeverity() (string, bool)
func (*AdmissionPolicy) GetSideEffects ¶
func (r *AdmissionPolicy) GetSideEffects() *admissionregistrationv1.SideEffectClass
func (*AdmissionPolicy) GetStatus ¶
func (r *AdmissionPolicy) GetStatus() *PolicyStatus
func (*AdmissionPolicy) GetTimeoutSeconds ¶
func (r *AdmissionPolicy) GetTimeoutSeconds() *int32
func (*AdmissionPolicy) GetTitle ¶
func (r *AdmissionPolicy) GetTitle() (string, bool)
func (*AdmissionPolicy) GetUniqueName ¶
func (r *AdmissionPolicy) GetUniqueName() string
func (*AdmissionPolicy) GetUpdatedNamespaceSelector ¶
func (r *AdmissionPolicy) GetUpdatedNamespaceSelector(string) *metav1.LabelSelector
GetUpdatedNamespaceSelector returns a selector that matches only the namespace of the AdmissionPolicy, since that is the only namespace the policy is meant to apply to. The string argument is unnamed in the signature and is therefore unused for this type (unlike ClusterAdmissionPolicy, which receives the deployment namespace).
func (*AdmissionPolicy) IsContextAware ¶
func (r *AdmissionPolicy) IsContextAware() bool
func (*AdmissionPolicy) IsMutating ¶
func (r *AdmissionPolicy) IsMutating() bool
func (*AdmissionPolicy) SetPolicyModeStatus ¶
func (r *AdmissionPolicy) SetPolicyModeStatus(policyMode PolicyModeStatus)
func (*AdmissionPolicy) SetStatus ¶
func (r *AdmissionPolicy) SetStatus(status PolicyStatusEnum)
func (*AdmissionPolicy) SetupWebhookWithManager ¶
func (r *AdmissionPolicy) SetupWebhookWithManager(mgr ctrl.Manager) error
func (*AdmissionPolicy) ValidateCreate ¶
func (r *AdmissionPolicy) ValidateCreate() error
ValidateCreate implements webhook.Validator so a webhook will be registered for the type
func (*AdmissionPolicy) ValidateDelete ¶
func (r *AdmissionPolicy) ValidateDelete() error
ValidateDelete implements webhook.Validator so a webhook will be registered for the type
func (*AdmissionPolicy) ValidateUpdate ¶
func (r *AdmissionPolicy) ValidateUpdate(old runtime.Object) error
ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
type AdmissionPolicyList ¶
// AdmissionPolicyList contains a list of AdmissionPolicy.
type AdmissionPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the policies in the list.
	Items []AdmissionPolicy `json:"items"`
}
AdmissionPolicyList contains a list of AdmissionPolicy
func (*AdmissionPolicyList) DeepCopy ¶
func (in *AdmissionPolicyList) DeepCopy() *AdmissionPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicyList.
func (*AdmissionPolicyList) DeepCopyInto ¶
func (in *AdmissionPolicyList) DeepCopyInto(out *AdmissionPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AdmissionPolicyList) DeepCopyObject ¶
func (in *AdmissionPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type AdmissionPolicySpec ¶
// AdmissionPolicySpec defines the desired state of AdmissionPolicy. It is
// exactly the common PolicySpec: unlike ClusterAdmissionPolicySpec it carries
// no NamespaceSelector (the policy is confined to its own namespace) and no
// ContextAwareResources field.
type AdmissionPolicySpec struct {
	PolicySpec `json:""` //nolint
}
AdmissionPolicySpec defines the desired state of AdmissionPolicy
func (*AdmissionPolicySpec) DeepCopy ¶
func (in *AdmissionPolicySpec) DeepCopy() *AdmissionPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionPolicySpec.
func (*AdmissionPolicySpec) DeepCopyInto ¶
func (in *AdmissionPolicySpec) DeepCopyInto(out *AdmissionPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterAdmissionPolicy ¶
// ClusterAdmissionPolicy is a cluster-scoped Kubewarden policy: it can match
// resources in any namespace selected by Spec.NamespaceSelector as well as
// cluster-scoped resources, and may read other cluster resources at
// evaluation time (Spec.ContextAwareResources). Its kubebuilder markers are
// documented below.
type ClusterAdmissionPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state; it embeds the common PolicySpec.
	Spec ClusterAdmissionPolicySpec `json:"spec,omitempty"`
	// Status is the observed state, served through the status subresource.
	Status PolicyStatus `json:"status,omitempty"`
}
ClusterAdmissionPolicy is the Schema for the clusteradmissionpolicies API +kubebuilder:object:root=true +kubebuilder:subresource:status +kubebuilder:resource:scope=Cluster +kubebuilder:storageversion +kubebuilder:printcolumn:name="Policy Server",type=string,JSONPath=`.spec.policyServer`,description="Bound to Policy Server" +kubebuilder:printcolumn:name="Mutating",type=boolean,JSONPath=`.spec.mutating`,description="Whether the policy is mutating" +kubebuilder:printcolumn:name="BackgroundAudit",type=boolean,JSONPath=`.spec.backgroundAudit`,description="Whether the policy is used in audit checks" +kubebuilder:printcolumn:name="Mode",type=string,JSONPath=`.spec.mode`,description="Policy deployment mode" +kubebuilder:printcolumn:name="Observed mode",type=string,JSONPath=`.status.mode`,description="Policy deployment mode observed on the assigned Policy Server" +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.policyStatus`,description="Status of the policy" +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:printcolumn:name="Severity",type=string,JSONPath=".metadata.annotations['io\\.kubewarden\\.policy\\.severity']",priority=1 +kubebuilder:printcolumn:name="Category",type=string,JSONPath=".metadata.annotations['io\\.kubewarden\\.policy\\.category']",priority=1
func (*ClusterAdmissionPolicy) CopyInto ¶
func (r *ClusterAdmissionPolicy) CopyInto(policy *Policy)
func (*ClusterAdmissionPolicy) DeepCopy ¶
func (in *ClusterAdmissionPolicy) DeepCopy() *ClusterAdmissionPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicy.
func (*ClusterAdmissionPolicy) DeepCopyInto ¶
func (in *ClusterAdmissionPolicy) DeepCopyInto(out *ClusterAdmissionPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterAdmissionPolicy) DeepCopyObject ¶
func (in *ClusterAdmissionPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterAdmissionPolicy) Default ¶
func (r *ClusterAdmissionPolicy) Default()
Default implements webhook.Defaulter so a webhook will be registered for the type
func (*ClusterAdmissionPolicy) GetBackgroundAudit ¶
func (r *ClusterAdmissionPolicy) GetBackgroundAudit() bool
func (*ClusterAdmissionPolicy) GetCategory ¶
func (r *ClusterAdmissionPolicy) GetCategory() (string, bool)
func (*ClusterAdmissionPolicy) GetContextAwareResources ¶
func (r *ClusterAdmissionPolicy) GetContextAwareResources() []ContextAwareResource
func (*ClusterAdmissionPolicy) GetDescription ¶
func (r *ClusterAdmissionPolicy) GetDescription() (string, bool)
func (*ClusterAdmissionPolicy) GetFailurePolicy ¶
func (r *ClusterAdmissionPolicy) GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
func (*ClusterAdmissionPolicy) GetMatchPolicy ¶
func (r *ClusterAdmissionPolicy) GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
func (*ClusterAdmissionPolicy) GetModule ¶
func (r *ClusterAdmissionPolicy) GetModule() string
func (*ClusterAdmissionPolicy) GetObjectMeta ¶
func (r *ClusterAdmissionPolicy) GetObjectMeta() *metav1.ObjectMeta
func (*ClusterAdmissionPolicy) GetObjectSelector ¶
func (r *ClusterAdmissionPolicy) GetObjectSelector() *metav1.LabelSelector
func (*ClusterAdmissionPolicy) GetPolicyMode ¶
func (r *ClusterAdmissionPolicy) GetPolicyMode() PolicyMode
func (*ClusterAdmissionPolicy) GetPolicyServer ¶
func (r *ClusterAdmissionPolicy) GetPolicyServer() string
func (*ClusterAdmissionPolicy) GetRules ¶
func (r *ClusterAdmissionPolicy) GetRules() []admissionregistrationv1.RuleWithOperations
func (*ClusterAdmissionPolicy) GetSettings ¶
func (r *ClusterAdmissionPolicy) GetSettings() runtime.RawExtension
func (*ClusterAdmissionPolicy) GetSeverity ¶
func (r *ClusterAdmissionPolicy) GetSeverity() (string, bool)
func (*ClusterAdmissionPolicy) GetSideEffects ¶
func (r *ClusterAdmissionPolicy) GetSideEffects() *admissionregistrationv1.SideEffectClass
func (*ClusterAdmissionPolicy) GetStatus ¶
func (r *ClusterAdmissionPolicy) GetStatus() *PolicyStatus
func (*ClusterAdmissionPolicy) GetTimeoutSeconds ¶
func (r *ClusterAdmissionPolicy) GetTimeoutSeconds() *int32
func (*ClusterAdmissionPolicy) GetTitle ¶
func (r *ClusterAdmissionPolicy) GetTitle() (string, bool)
func (*ClusterAdmissionPolicy) GetUniqueName ¶
func (r *ClusterAdmissionPolicy) GetUniqueName() string
func (*ClusterAdmissionPolicy) GetUpdatedNamespaceSelector ¶
func (r *ClusterAdmissionPolicy) GetUpdatedNamespaceSelector(deploymentNamespace string) *metav1.LabelSelector
func (*ClusterAdmissionPolicy) IsContextAware ¶
func (r *ClusterAdmissionPolicy) IsContextAware() bool
func (*ClusterAdmissionPolicy) IsMutating ¶
func (r *ClusterAdmissionPolicy) IsMutating() bool
func (*ClusterAdmissionPolicy) SetPolicyModeStatus ¶
func (r *ClusterAdmissionPolicy) SetPolicyModeStatus(policyMode PolicyModeStatus)
func (*ClusterAdmissionPolicy) SetStatus ¶
func (r *ClusterAdmissionPolicy) SetStatus(status PolicyStatusEnum)
func (*ClusterAdmissionPolicy) SetupWebhookWithManager ¶
func (r *ClusterAdmissionPolicy) SetupWebhookWithManager(mgr ctrl.Manager) error
func (*ClusterAdmissionPolicy) ValidateCreate ¶
func (r *ClusterAdmissionPolicy) ValidateCreate() error
ValidateCreate implements webhook.Validator so a webhook will be registered for the type
func (*ClusterAdmissionPolicy) ValidateDelete ¶
func (r *ClusterAdmissionPolicy) ValidateDelete() error
ValidateDelete implements webhook.Validator so a webhook will be registered for the type
func (*ClusterAdmissionPolicy) ValidateUpdate ¶
func (r *ClusterAdmissionPolicy) ValidateUpdate(old runtime.Object) error
ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
type ClusterAdmissionPolicyList ¶
// ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy.
type ClusterAdmissionPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the policies in the list.
	Items []ClusterAdmissionPolicy `json:"items"`
}
ClusterAdmissionPolicyList contains a list of ClusterAdmissionPolicy +kubebuilder:object:root=true
func (*ClusterAdmissionPolicyList) DeepCopy ¶
func (in *ClusterAdmissionPolicyList) DeepCopy() *ClusterAdmissionPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicyList.
func (*ClusterAdmissionPolicyList) DeepCopyInto ¶
func (in *ClusterAdmissionPolicyList) DeepCopyInto(out *ClusterAdmissionPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterAdmissionPolicyList) DeepCopyObject ¶
func (in *ClusterAdmissionPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ClusterAdmissionPolicySpec ¶
// ClusterAdmissionPolicySpec defines the desired state of
// ClusterAdmissionPolicy: the common PolicySpec plus the two cluster-only
// knobs, a namespace selector and the list of resources the policy may read.
type ClusterAdmissionPolicySpec struct {
	PolicySpec `json:""` //nolint

	// NamespaceSelector decides whether to run the webhook on an object based
	// on whether the namespace for that object matches the selector. If the
	// object itself is a namespace, the matching is performed on
	// object.metadata.labels. If the object is another cluster scoped resource,
	// it never skips the webhook.
	//
	// For example, to run the webhook on any objects whose namespace is not
	// associated with "runlevel" of "0" or "1"; you will set the selector as
	// follows:
	// "namespaceSelector": {
	//   "matchExpressions": [
	//     {
	//       "key": "runlevel",
	//       "operator": "NotIn",
	//       "values": [
	//         "0",
	//         "1"
	//       ]
	//     }
	//   ]
	// }
	//
	// If instead you want to only run the webhook on any objects whose
	// namespace is associated with the "environment" of "prod" or "staging";
	// you will set the selector as follows:
	// "namespaceSelector": {
	//   "matchExpressions": [
	//     {
	//       "key": "environment",
	//       "operator": "In",
	//       "values": [
	//         "prod",
	//         "staging"
	//       ]
	//     }
	//   ]
	// }
	//
	// See
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
	// for more examples of label selectors.
	//
	// Default to the empty LabelSelector, which matches everything.
	//
	// NOTE(review): because matching is done on namespace labels, anyone who
	// is allowed to edit a namespace's labels can move that namespace in or
	// out of this policy's scope. A label-based exemption is therefore a
	// trust decision about who can label namespaces, not a hard boundary.
	// The controller also appears to derive the selector actually registered
	// from this one via GetUpdatedNamespaceSelector(deploymentNamespace) —
	// confirm what it adds before relying on an exact match.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`

	// List of Kubernetes resources the policy is allowed to access at evaluation time.
	// Access to these resources is done using the `ServiceAccount` of the PolicyServer
	// the policy is assigned to.
	//
	// NOTE(review): that ServiceAccount's RBAC is the upper bound on what the
	// policy can read; listing a resource here is an allow-list on the policy
	// side and presumably does not by itself grant the account any permission
	// (confirm against the controller's RBAC handling). Keep the list minimal
	// and avoid granting read access to sensitive kinds (e.g. Secrets) unless
	// the policy genuinely needs them.
	// +optional
	ContextAwareResources []ContextAwareResource `json:"contextAwareResources,omitempty"`
}
ClusterAdmissionPolicySpec defines the desired state of ClusterAdmissionPolicy
func (*ClusterAdmissionPolicySpec) DeepCopy ¶
func (in *ClusterAdmissionPolicySpec) DeepCopy() *ClusterAdmissionPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionPolicySpec.
func (*ClusterAdmissionPolicySpec) DeepCopyInto ¶
func (in *ClusterAdmissionPolicySpec) DeepCopyInto(out *ClusterAdmissionPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ContextAwareResource ¶
// ContextAwareResource identifies, by apiVersion and kind, a Kubernetes
// resource that a ClusterAdmissionPolicy is allowed to read at evaluation
// time (see ClusterAdmissionPolicySpec.ContextAwareResources).
type ContextAwareResource struct {
	// apiVersion of the resource (v1 for core group, groupName/groupVersions for other).
	APIVersion string `json:"apiVersion"`
	// Singular PascalCase name of the resource (e.g. "Namespace", "Ingress").
	Kind string `json:"kind"`
}
ContextAwareResource identifies a Kubernetes resource (by apiVersion and Kind) that a ClusterAdmissionPolicy is allowed to read at evaluation time; see ClusterAdmissionPolicySpec.ContextAwareResources. Reads are performed with the ServiceAccount of the PolicyServer the policy is assigned to, so that account's RBAC bounds what the policy can see.
func (*ContextAwareResource) DeepCopy ¶
func (in *ContextAwareResource) DeepCopy() *ContextAwareResource
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContextAwareResource.
func (*ContextAwareResource) DeepCopyInto ¶
func (in *ContextAwareResource) DeepCopyInto(out *ContextAwareResource)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Policy ¶
// Policy is the common surface shared by AdmissionPolicy and
// ClusterAdmissionPolicy (both types implement every method below), so the
// controller can reconcile either kind through one code path.
// It is excluded from deepcopy generation (+kubebuilder:object:generate:=false).
type Policy interface {
	client.Object

	// Execution mode requested in the spec ("protect" or "monitor", see
	// PolicySpec.Mode) and the mode observed on the Policy Server.
	GetPolicyMode() PolicyMode
	SetPolicyModeStatus(policyMode PolicyModeStatus)

	// GetModule returns the location of the WASM module (PolicySpec.Module).
	GetModule() string
	IsMutating() bool
	IsContextAware() bool
	// GetSettings returns the free-form, schema-less policy configuration
	// (PolicySpec.Settings); the API server does not validate its contents.
	GetSettings() runtime.RawExtension

	GetStatus() *PolicyStatus
	SetStatus(status PolicyStatusEnum)
	CopyInto(object *Policy)

	// Webhook registration inputs, mirroring admissionregistration/v1.
	GetSideEffects() *admissionregistrationv1.SideEffectClass
	GetRules() []admissionregistrationv1.RuleWithOperations
	// GetFailurePolicy: "Fail" rejects a request the policy could not evaluate,
	// "Ignore" lets it through unchecked (fail-open). See PolicySpec.FailurePolicy.
	GetFailurePolicy() *admissionregistrationv1.FailurePolicyType
	GetMatchPolicy() *admissionregistrationv1.MatchPolicyType
	// GetUpdatedNamespaceSelector returns the namespace selector to register.
	// For AdmissionPolicy it selects only the policy's own namespace and
	// ignores the argument; for ClusterAdmissionPolicy the deploymentNamespace
	// is presumably folded into the spec's selector — TODO confirm in the
	// controller.
	GetUpdatedNamespaceSelector(deploymentNamespace string) *metav1.LabelSelector
	GetObjectSelector() *metav1.LabelSelector
	GetTimeoutSeconds() *int32

	GetObjectMeta() *metav1.ObjectMeta
	// GetPolicyServer returns the name of the PolicyServer the policy is bound to.
	GetPolicyServer() string
	GetUniqueName() string
	GetContextAwareResources() []ContextAwareResource
	GetBackgroundAudit() bool

	// Descriptive metadata, presumably read from the Annotation* keys; the
	// bool is expected to report whether the value was present.
	GetSeverity() (string, bool)
	GetCategory() (string, bool)
	GetTitle() (string, bool)
	GetDescription() (string, bool)
}
+kubebuilder:object:generate:=false
type PolicyConditionType ¶
// PolicyConditionType is the type of a condition reported in a policy's
// status; the known values are the constants declared below.
type PolicyConditionType string
const (
	// PolicyActive represents the condition of the Policy admission
	// webhook having been registered.
	PolicyActive PolicyConditionType = "PolicyActive"
	// PolicyServerConfigurationUpToDate represents the condition of the
	// associated Policy Server having the latest configuration for this
	// policy.
	PolicyServerConfigurationUpToDate PolicyConditionType = "PolicyServerConfigurationUpToDate"
	// PolicyUniquelyReachable represents the condition of the latest
	// applied policy being uniquely accessible. This means that after a
	// policy has been deployed or modified, once this condition is met
	// for the policy, only the latest instance of the policy can be
	// reached through the policy server where it is scheduled (i.e. no
	// stale replica is still serving the previous version).
	PolicyUniquelyReachable PolicyConditionType = "PolicyUniquelyReachable"
)
type PolicyModeStatus ¶
// PolicyModeStatus is the execution mode observed on the Policy Server for a
// policy, as opposed to the mode requested in the spec. It is surfaced as the
// "Observed mode" printer column.
type PolicyModeStatus string
+kubebuilder:validation:Enum=protect;monitor;unknown
const (
	// PolicyModeStatusProtect: the Policy Server is enforcing the policy.
	PolicyModeStatusProtect PolicyModeStatus = "protect"
	// PolicyModeStatusMonitor: the Policy Server is only reporting
	// evaluations, not enforcing them.
	PolicyModeStatusMonitor PolicyModeStatus = "monitor"
	// PolicyModeStatusUnknown: the observed mode has not been determined yet.
	PolicyModeStatusUnknown PolicyModeStatus = "unknown"
)
type PolicyServer ¶
// PolicyServer describes a Policy Server deployment: the workload that hosts
// WASM policies and answers admission requests for the policies bound to it.
type PolicyServer struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec is the desired state (image, replicas, identity, sources, ...).
	Spec PolicyServerSpec `json:"spec,omitempty"`
	// Status is the observed state, expressed as conditions.
	Status PolicyServerStatus `json:"status,omitempty"`
}
PolicyServer is the Schema for the policyservers API
func (*PolicyServer) AppLabel ¶
func (ps *PolicyServer) AppLabel() string
func (*PolicyServer) DeepCopy ¶
func (in *PolicyServer) DeepCopy() *PolicyServer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServer.
func (*PolicyServer) DeepCopyInto ¶
func (in *PolicyServer) DeepCopyInto(out *PolicyServer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyServer) DeepCopyObject ¶
func (in *PolicyServer) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*PolicyServer) Default ¶
func (ps *PolicyServer) Default()
Default implements webhook.Defaulter so a webhook will be registered for the type
func (*PolicyServer) NameWithPrefix ¶
func (ps *PolicyServer) NameWithPrefix() string
func (*PolicyServer) SetupWebhookWithManager ¶
func (ps *PolicyServer) SetupWebhookWithManager(mgr ctrl.Manager) error
type PolicyServerConditionType ¶
// PolicyServerConditionType is the type of a condition reported in a
// PolicyServer's status; the known values are the constants declared below.
type PolicyServerConditionType string
const (
	// PolicyServerCASecretReconciled represents the condition of the
	// Policy Server Secret reconciliation.
	PolicyServerCASecretReconciled PolicyServerConditionType = "CASecretReconciled"
	// PolicyServerCARootSecretReconciled represents the condition of the
	// Policy Server CA Root Secret reconciliation.
	PolicyServerCARootSecretReconciled PolicyServerConditionType = "CARootSecretReconciled"
	// PolicyServerConfigMapReconciled represents the condition of the
	// Policy Server ConfigMap reconciliation.
	PolicyServerConfigMapReconciled PolicyServerConditionType = "ConfigMapReconciled"
	// PolicyServerDeploymentReconciled represents the condition of the
	// Policy Server Deployment reconciliation.
	PolicyServerDeploymentReconciled PolicyServerConditionType = "DeploymentReconciled"
	// PolicyServerServiceReconciled represents the condition of the
	// Policy Server Service reconciliation.
	PolicyServerServiceReconciled PolicyServerConditionType = "ServiceReconciled"
)
type PolicyServerList ¶
// PolicyServerList contains a list of PolicyServer.
type PolicyServerList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items holds the policy servers in the list.
	Items []PolicyServer `json:"items"`
}
PolicyServerList contains a list of PolicyServer
func (*PolicyServerList) DeepCopy ¶
func (in *PolicyServerList) DeepCopy() *PolicyServerList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerList.
func (*PolicyServerList) DeepCopyInto ¶
func (in *PolicyServerList) DeepCopyInto(out *PolicyServerList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicyServerList) DeepCopyObject ¶
func (in *PolicyServerList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PolicyServerSecurity ¶
// PolicyServerSecurity defines the securityContext configuration applied to
// the Policy Server workload. Per PolicyServerSpec.SecurityContexts it is not
// applied to containers injected by other controllers (e.g. telemetry
// sidecars), so those need their own hardening.
type PolicyServerSecurity struct {
	// securityContext definition to be used in the policy server container
	// (a natural place for runAsNonRoot, readOnlyRootFilesystem and dropping
	// capabilities).
	// +optional
	Container *corev1.SecurityContext `json:"container,omitempty"`
	// podSecurityContext definition to be used in the policy server Pod
	// +optional
	Pod *corev1.PodSecurityContext `json:"pod,omitempty"`
}
PolicyServerSecurity defines securityContext configuration to be used in the Policy Server workload
func (*PolicyServerSecurity) DeepCopy ¶
func (in *PolicyServerSecurity) DeepCopy() *PolicyServerSecurity
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerSecurity.
func (*PolicyServerSecurity) DeepCopyInto ¶
func (in *PolicyServerSecurity) DeepCopyInto(out *PolicyServerSecurity)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyServerSpec ¶
// PolicyServerSpec defines the desired state of PolicyServer. Several fields
// are security-relevant: the identity the server runs as (ServiceAccountName),
// how policy modules are fetched (ImagePullSecret, InsecureSources,
// SourceAuthorities) and whether they are signature-verified
// (VerificationConfig).
type PolicyServerSpec struct {
	// Docker image name.
	// NOTE(review): nothing in this type validates the reference; pinning by
	// digest (image@sha256:...) keeps the admission workload from drifting.
	Image string `json:"image"`

	// Replicas is the number of desired replicas.
	// Keep in mind that when no replica is reachable, each policy's
	// FailurePolicy decides the outcome: "Ignore" lets requests through
	// unchecked.
	Replicas int32 `json:"replicas"`

	// Annotations is an unstructured key value map stored with a resource that may be
	// set by external tools to store and retrieve arbitrary metadata. They are not
	// queryable and should be preserved when modifying objects.
	// More info: http://kubernetes.io/docs/user-guide/annotations
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`

	// List of environment variables to set in the container.
	// NOTE(review): values written here are stored in the PolicyServer object
	// itself; prefer valueFrom references for anything secret.
	// +optional
	Env []corev1.EnvVar `json:"env,omitempty"`

	// Name of the service account associated with the policy server.
	// Namespace service account will be used if not specified.
	// NOTE(review): this is also the identity context-aware policies use to
	// read cluster resources (see ClusterAdmissionPolicySpec.ContextAwareResources),
	// so scope its RBAC to exactly the resources those policies need.
	// +optional
	ServiceAccountName string `json:"serviceAccountName,omitempty"`

	// Name of ImagePullSecret secret in the same namespace, used for pulling
	// policies from repositories.
	// +optional
	ImagePullSecret string `json:"imagePullSecret,omitempty"`

	// List of insecure URIs to policy repositories.
	// NOTE(review): modules fetched from these sources are presumably not
	// authenticated by TLS (plain HTTP or unverified certificates — confirm
	// against the policy-server fetcher), so they can be tampered with in
	// transit. Avoid in production, or at least pair with VerificationConfig
	// so only signed modules are accepted.
	// +optional
	InsecureSources []string `json:"insecureSources,omitempty"`

	// Key value map of registry URIs endpoints to a list of their associated
	// PEM encoded certificate authorities that have to be used to verify the
	// certificate used by the endpoint. This is the supported way to trust a
	// private CA without falling back to InsecureSources.
	// +optional
	SourceAuthorities map[string][]string `json:"sourceAuthorities,omitempty"`

	// Name of VerificationConfig configmap in the same namespace, containing
	// Sigstore verification configuration. The configuration must be under a
	// key named verification-config in the Configmap.
	// NOTE(review): when unset, nothing here indicates that module
	// signatures are checked — confirm the fetcher's default before relying
	// on signed policies.
	// +optional
	VerificationConfig string `json:"verificationConfig,omitempty"`

	// Security configuration to be used in the Policy Server workload.
	// The field allows different configurations for the pod and containers.
	// This configuration will not be used in containers added by other
	// controllers (e.g. telemetry sidecars).
	// +optional
	SecurityContexts PolicyServerSecurity `json:"securityContexts,omitempty"`
}
PolicyServerSpec defines the desired state of PolicyServer
func (*PolicyServerSpec) DeepCopy ¶
func (in *PolicyServerSpec) DeepCopy() *PolicyServerSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerSpec.
func (*PolicyServerSpec) DeepCopyInto ¶
func (in *PolicyServerSpec) DeepCopyInto(out *PolicyServerSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyServerStatus ¶
// PolicyServerStatus defines the observed state of PolicyServer. Being
// observed state it is normally written by the controller rather than by
// users (whether it is exposed as a status subresource is not visible here).
type PolicyServerStatus struct {
	// Conditions represent the observed conditions of the
	// PolicyServer resource. Known .status.conditions.types
	// are: "PolicyServerSecretReconciled",
	// "PolicyServerDeploymentReconciled" and
	// "PolicyServerServiceReconciled"
	// NOTE(review): unlike PolicyStatus.Conditions this tag has no
	// `omitempty`, so a nil slice is serialised as `null` rather than being
	// dropped; consider aligning the two.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions"`
}
PolicyServerStatus defines the observed state of PolicyServer
func (*PolicyServerStatus) DeepCopy ¶
func (in *PolicyServerStatus) DeepCopy() *PolicyServerStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyServerStatus.
func (*PolicyServerStatus) DeepCopyInto ¶
func (in *PolicyServerStatus) DeepCopyInto(out *PolicyServerStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicySpec ¶
// PolicySpec is the shared spec of the admission policy kinds: which WASM
// module to run, on which PolicyServer, against which requests, and how the
// API server should behave when the policy cannot answer. Whoever can write
// this spec decides what code runs on the admission path, so treat write
// access to these resources as privileged.
type PolicySpec struct {
	// PolicyServer identifies an existing PolicyServer resource.
	// A policy that omits this is scheduled onto the PolicyServer named
	// "default".
	// +kubebuilder:default:=default
	// +optional
	PolicyServer string `json:"policyServer"`
	// Module is the location of the WASM module to be loaded. Can be a
	// local file (file://), a remote file served by an HTTP server
	// (http://, https://), or an artifact served by an OCI-compatible
	// registry (registry://).
	// If prefix is missing, it will default to registry:// and use that
	// internally.
	// http:// gives no integrity on the wire and file:// loads from a local
	// path (presumably the policy-server's own filesystem — confirm); prefer
	// registry:// together with Sigstore verification configured on the
	// PolicyServer (VerificationConfig) so the module is tied to a signer.
	// +kubebuilder:validation:Required
	Module string `json:"module"`
	// Mode defines the execution mode of this policy. Can be set to
	// either "protect" or "monitor". If it's empty, it is defaulted to
	// "protect".
	// Transitioning this setting from "monitor" to "protect" is
	// allowed, but is disallowed to transition from "protect" to
	// "monitor". To perform this transition, the policy should be
	// recreated in "monitor" mode instead.
	// The one-way transition guards against quietly downgrading an enforcing
	// policy; the check is presumably done by a validating webhook on this
	// CRD rather than by the schema — confirm.
	// +kubebuilder:default:=protect
	// +optional
	Mode PolicyMode `json:"mode,omitempty"`
	// Settings is a free-form object that contains the policy configuration
	// values.
	// Because unknown fields are preserved, the API server neither prunes nor
	// validates this object; validating it is the module's job (presumably at
	// load time — confirm). Treat settings as part of the policy's trusted
	// configuration, not as user input.
	// +optional
	// +nullable
	// +kubebuilder:pruning:PreserveUnknownFields
	// x-kubernetes-embedded-resource: false
	Settings runtime.RawExtension `json:"settings,omitempty"`
	// Rules describes what operations on what resources/subresources the webhook cares about.
	// The webhook cares about an operation if it matches _any_ Rule.
	// Coverage gaps are bypasses: an operation (e.g. UPDATE, CONNECT) or a
	// subresource not named here is never evaluated, and Kubernetes matches
	// subresources only when they are listed explicitly (e.g. `pods/*`).
	// NOTE(review): no MinItems marker — an empty list presumably registers a
	// webhook that matches nothing, i.e. a policy that silently never runs;
	// consider `+kubebuilder:validation:MinItems=1` if that is unintended.
	Rules []admissionregistrationv1.RuleWithOperations `json:"rules"`
	// FailurePolicy defines how unrecognized errors and timeout errors from the
	// policy are handled. Allowed values are "Ignore" or "Fail".
	// * "Ignore" means that an error calling the webhook is ignored and the API
	// request is allowed to continue.
	// * "Fail" means that an error calling the webhook causes the admission to
	// fail and the API request to be rejected.
	// The default behaviour is "Fail"
	// "Ignore" is fail-open: anything that makes the call error or exceed
	// TimeoutSeconds (server down, too few replicas, a network policy) lets
	// the request through unevaluated. "Fail" is fail-closed and the safe
	// default, but a policy matching core resources can then lock out the
	// cluster while the PolicyServer is unavailable — size Replicas and
	// TimeoutSeconds with that in mind.
	// +optional
	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
	// Mutating indicates whether a policy has the ability to mutate
	// incoming requests or not.
	// This is declared by the author of the resource, not derived from the
	// module (at least not in this spec); presumably it selects a mutating
	// rather than a validating webhook registration — confirm.
	Mutating bool `json:"mutating"`
	// BackgroundAudit indicates whether a policy should be used or skipped when
	// performing audit checks. If false, the policy cannot produce meaningful
	// evaluation results during audit checks and will be skipped.
	// The default is "true".
	// +kubebuilder:default:=true
	// +optional
	BackgroundAudit bool `json:"backgroundAudit"`
	// matchPolicy defines how the "rules" list is used to match incoming requests.
	// Allowed values are "Exact" or "Equivalent".
	//
	// - Exact: match a request only if it exactly matches a specified rule.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
	//
	// - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
	// For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
	// and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	// a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
	//
	// Defaults to "Equivalent"
	// As the example shows, "Exact" leaves every other group/version of the
	// same resource unevaluated — a bypass for anything reachable through
	// several API versions. Keep the default unless the rules enumerate every
	// version deliberately.
	// +optional
	MatchPolicy *admissionregistrationv1.MatchPolicyType `json:"matchPolicy,omitempty"`
	// ObjectSelector decides whether to run the webhook based on if the
	// object has matching labels. objectSelector is evaluated against both
	// the oldObject and newObject that would be sent to the webhook, and
	// is considered to match if either object matches the selector. A null
	// object (oldObject in the case of create, or newObject in the case of
	// delete) or an object that cannot have labels (like a
	// DeploymentRollback or a PodProxyOptions object) is not considered to
	// match.
	// Use the object selector only if the webhook is opt-in, because end
	// users may skip the admission webhook by setting the labels: anyone who
	// can label the object can opt it out of an enforcing policy.
	// Default to the empty LabelSelector, which matches everything.
	// +optional
	ObjectSelector *metav1.LabelSelector `json:"objectSelector,omitempty"`
	// SideEffects states whether this webhook has side effects.
	// Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown).
	// Webhooks with side effects MUST implement a reconciliation system, since a request may be
	// rejected by a future step in the admission change and the side effects therefore need to be undone.
	// Requests with the dryRun attribute will be auto-rejected if they match a webhook with
	// sideEffects == Unknown or Some.
	// NOTE(review): the field is a pointer with `omitempty` but carries no
	// `+optional` marker, unlike its siblings; what the CRD schema requires
	// here should be checked.
	SideEffects *admissionregistrationv1.SideEffectClass `json:"sideEffects,omitempty"`
	// TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
	// the webhook call will be ignored or the API call will fail based on the
	// failure policy.
	// The timeout value must be between 1 and 30 seconds.
	// Default to 10 seconds.
	// NOTE(review): the 1..30 range is stated but no Minimum/Maximum marker
	// is visible here; presumably the API server rejects out-of-range values
	// when the webhook configuration is created — confirm, or add the markers
	// so the error surfaces on the policy itself.
	// +optional
	// +kubebuilder:default:=10
	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
}
func (*PolicySpec) DeepCopy ¶
func (in *PolicySpec) DeepCopy() *PolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec.
func (*PolicySpec) DeepCopyInto ¶
func (in *PolicySpec) DeepCopyInto(out *PolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyStatus ¶
// PolicyStatus defines the observed state of ClusterAdmissionPolicy and
// AdmissionPolicy. Use it, rather than the spec, to confirm that a policy is
// actually in effect: spec.mode=protect says what was requested, the fields
// here say what the controller has observed.
type PolicyStatus struct {
	// PolicyStatus represents the observed status of the policy
	// (see PolicyStatusEnum for the state sequence; only "active" means the
	// API server is expected to be sending admission reviews to it).
	PolicyStatus PolicyStatusEnum `json:"policyStatus"`
	// PolicyMode represents the observed policy mode of this policy in
	// the associated PolicyServer configuration
	// Note the JSON key is "mode", mirroring spec.mode; this value can
	// presumably lag the spec while reconciliation is in progress — confirm.
	PolicyMode PolicyModeStatus `json:"mode,omitempty"`
	// Conditions represent the observed conditions of the
	// ClusterAdmissionPolicy resource. Known .status.conditions.types
	// are: "PolicyServerSecretReconciled",
	// "PolicyServerConfigMapReconciled",
	// "PolicyServerDeploymentReconciled",
	// "PolicyServerServiceReconciled" and
	// "AdmissionPolicyActive"
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}
PolicyStatus defines the observed state of ClusterAdmissionPolicy and AdmissionPolicy
func (*PolicyStatus) DeepCopy ¶
func (in *PolicyStatus) DeepCopy() *PolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus.
func (*PolicyStatus) DeepCopyInto ¶
func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyStatusEnum ¶
// PolicyStatusEnum is the lifecycle state of a policy as observed by the
// controller. Per the constants below the states advance
// unscheduled -> scheduled -> pending -> active, and only in "active" is the
// API server expected to forward admission reviews to the policy — a policy
// in any earlier state is not yet enforcing anything.
// +kubebuilder:validation:Enum=unscheduled;scheduled;pending;active
type PolicyStatusEnum string

const (
	// PolicyStatusUnscheduled is a transient state that will continue
	// to scheduled. This is the default state if no policy server is
	// assigned.
	PolicyStatusUnscheduled PolicyStatusEnum = "unscheduled"
	// PolicyStatusScheduled is a transient state that will continue to
	// pending. This is the default state if a policy server is
	// assigned.
	PolicyStatusScheduled PolicyStatusEnum = "scheduled"
	// PolicyStatusPending informs that the policy server exists,
	// we are reconciling all resources
	PolicyStatusPending PolicyStatusEnum = "pending"
	// PolicyStatusActive informs that the k8s API server should be
	// forwarding admission review objects to the policy.
	// Requests admitted before this state is reached were not evaluated by
	// this policy; whether background audit later catches them is not
	// visible here.
	PolicyStatusActive PolicyStatusEnum = "active"
)
type ReconciliationTransitionReason ¶
// ReconciliationTransitionReason names the outcome of a reconciliation
// pass; presumably used as the Reason on the status Conditions declared in
// this file — confirm in the controller.
type ReconciliationTransitionReason string

const (
	// ReconciliationFailed represents a reconciliation failure
	ReconciliationFailed ReconciliationTransitionReason = "ReconciliationFailed"
	// ReconciliationSucceeded represents a reconciliation success
	ReconciliationSucceeded ReconciliationTransitionReason = "ReconciliationSucceeded"
)